Portable Devices and HIPAA

Key Takeaway:

Portable devices and HIPAA are not the best of friends. The advent of portable devices as a means of information sharing has spawned the need to look at the HIPAA Security Rule afresh.

The use of portable devices such as smartphones, tablets, iPads, iPhones, and BlackBerry devices for patient communication is a trend that is catching on like wildfire in the US healthcare sector. This may be great news for the healthcare fraternity, given the degree to which the speed of information sharing is hastened. But it also brings in its wake its own unique challenges and concerns as far as HIPAA is concerned, because patient health information security and privacy are the edifice on which HIPAA is built.

A new dimension to the HIPAA Security Rule

It is accepted that the risk of unauthorized disclosure of Protected Health Information (PHI) by anyone in the healthcare loop is higher when information is held in portable devices, because portable devices store data in multiple ways: within the device and in its memory chip.

These devices are designed to record a copy of the data they receive or transmit. What also makes information security on portable devices difficult, if not impossible, is that the widely used methods of encryption software and related authentication measures cannot be used in mobile devices for restriction of data. All this puts portable devices and the HIPAA Security Rule at loggerheads with each other, so to speak.

A freshened look at HIPAA safeguards

The challenges associated with portable devices and HIPAA necessitate a fresh look at the traditional HIPAA safeguards, namely administrative, technical and physical safeguards. With portable devices and HIPAA being a challenge to each other, one needs to reframe these safeguards in a new light:

Administrative: Keeping a constant and permanent vigil is the only true method of ensuring that portable devices and HIPAA are compatible with each other. Periodic risk assessments of all security aspects of the mobile devices in use in healthcare facilities have to be conducted. Healthcare providers may have to:

  • Put in place an automated process to make sure that an unauthorized entrant does not destroy or alter the ePHI
  • Establish procedures and processes for protecting ePHI effectively in a mobile device environment. Mobile device use could go through upgraded security breach and encryption routines in healthcare settings
  • Train employees and stakeholders of ePHI on access to ePHI using mobile devices, the consequences of data breaches, HIPAA fines and penalties, etc., so that portable devices and HIPAA become more meaningful


Some of the ways by which technical safeguards can be amended to make portable devices and HIPAA work with each other could include:

  • Regularly installing anti-malware software and updating it at frequent intervals
  • The installation of strong firewalls
  • Encrypting metadata and ePHI
  • Using authentication tools that are biometric in nature


Portable devices and HIPAA become much more manageable when healthcare providers also ensure that they implement physical safeguards. Some of these are:

  • Maintaining an inventory of all mobile devices being used in the healthcare setting, with details of ePHI data transmission and access
  • Keeping mobile devices in secure locations and locking them
  • Using radio frequency identification (RFID) tags, which help locate stolen or lost portable devices and go a long way toward ensuring that portable devices and HIPAA can work in tandem